Tokenisation of Cards

Tokenisation of cards is a security mechanism mandated by the Reserve Bank of India (RBI) — effective October 2022 — that replaces a cardholder's actual debit or credit card number with a unique, randomly generated digital token for online and in-store transactions, eliminating the need for merchants and payment aggregators to store the original card data on their servers. In a tokenised transaction, the payment network (Visa, Mastercard, RuPay) issues a unique token that is specific to a device-merchant combination — the token is used for transaction processing, while the actual card number never leaves the bank's secure environment. This significantly reduces the risk of card data theft from merchant databases, payment gateway breaches, and phishing attacks — even if a merchant's system is compromised, the stolen tokens are useless without the corresponding cryptographic key held by the payment network. RBI's CoFT (Card on File Tokenisation) framework required all payment aggregators, payment gateways, and merchants to delete stored card data and transition to tokenised transactions by October 1, 2022. For Indian investors and consumers, tokenisation provides enhanced payment security with no change in user experience — the tokenised transaction process is seamless and transparent, with the additional security layer operating entirely in the background within the payment infrastructure.